Analysis
- max time kernel: 138s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 20-04-2021 09:04
Static task: static1
Behavioral task: behavioral1
  Sample: download.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: download.exe
  Resource: win10v20210410
General
- Target: download.exe
- Size: 775KB
- MD5: b945f5042cd642bd3057177de0604a56
- SHA1: d680d790167a7f84f7e531b2d16db0a0e3359f73
- SHA256: 98388773dc5da7f73a32a08613404029c7cd23078d697700aec6b573b2fa8e09
- SHA512: b8b0def1662f4bea4134049d883a53707a2dd94b193d213c1e2ca73742e1d03fb699eaed2137e71ed1985cf01ea268474bee4efa0f903697c63d106cf982fb45
Malware Config
Extracted
  Path: C:\Users\Admin\.oracle_jre_usage\9f6KKOh_readme_.txt
  URLs:
  - http://avaddongun7rngel.onion
  - http://avaddonbotrxmuyl.onion
Extracted
  Path: C:\Users\Admin\Documents\9f6KKOh_readme_.txt
  URLs:
  - http://avaddongun7rngel.onion
  - http://avaddonbotrxmuyl.onion
Extracted
  Path: C:\Users\Admin\Pictures\9f6KKOh_readme_.txt
  URLs:
  - http://avaddongun7rngel.onion
  - http://avaddonbotrxmuyl.onion
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2692 | 3516 | wmic.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3872 | 3516 | wmic.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3568 | 3516 | wmic.exe |
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\UnpublishLimit.tif => C:\Users\Admin\Pictures\UnpublishLimit.tif.BDEDdeaBAC | download.exe
File renamed | C:\Users\Admin\Pictures\ShowCompress.raw => C:\Users\Admin\Pictures\ShowCompress.raw.BDEDdeaBAC | download.exe
File renamed | C:\Users\Admin\Pictures\CloseInvoke.png => C:\Users\Admin\Pictures\CloseInvoke.png.BDEDdeaBAC | download.exe
File renamed | C:\Users\Admin\Pictures\DismountRename.png => C:\Users\Admin\Pictures\DismountRename.png.BDEDdeaBAC | download.exe
File renamed | C:\Users\Admin\Pictures\DismountTrace.png => C:\Users\Admin\Pictures\DismountTrace.png.BDEDdeaBAC | download.exe
File renamed | C:\Users\Admin\Pictures\PublishSync.crw => C:\Users\Admin\Pictures\PublishSync.crw.BDEDdeaBAC | download.exe
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | download.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini | download.exe
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\B: | download.exe
File opened (read-only) | \??\I: | download.exe
File opened (read-only) | \??\M: | download.exe
File opened (read-only) | \??\N: | download.exe
File opened (read-only) | \??\P: | download.exe
File opened (read-only) | \??\Q: | download.exe
File opened (read-only) | \??\S: | download.exe
File opened (read-only) | \??\A: | download.exe
File opened (read-only) | \??\X: | download.exe
File opened (read-only) | \??\Y: | download.exe
File opened (read-only) | \??\U: | download.exe
File opened (read-only) | \??\Z: | download.exe
File opened (read-only) | \??\H: | download.exe
File opened (read-only) | \??\R: | download.exe
File opened (read-only) | \??\T: | download.exe
File opened (read-only) | \??\V: | download.exe
File opened (read-only) | \??\K: | download.exe
File opened (read-only) | \??\F: | download.exe
File opened (read-only) | \??\G: | download.exe
File opened (read-only) | \??\J: | download.exe
File opened (read-only) | \??\L: | download.exe
File opened (read-only) | \??\O: | download.exe
File opened (read-only) | \??\W: | download.exe
File opened (read-only) | \??\E: | download.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
4224 | vssadmin.exe
4348 | vssadmin.exe
4480 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3768 | download.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid | process | tokens adjusted (one IoC per token)
2692 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
3872 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
3568 | wmic.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
3496 | wmic.exe | SeIncreaseQuotaPrivilege (listing cut off at the 64-IoC display limit)
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 3768 wrote to memory of 3496 | 3768 | download.exe | wmic.exe (3 entries)
PID 3768 wrote to memory of 4224 | 3768 | download.exe | vssadmin.exe (3 entries)
PID 3768 wrote to memory of 4276 | 3768 | download.exe | wmic.exe (3 entries)
PID 3768 wrote to memory of 4348 | 3768 | download.exe | vssadmin.exe (3 entries)
PID 3768 wrote to memory of 4400 | 3768 | download.exe | wmic.exe (3 entries)
PID 3768 wrote to memory of 4480 | 3768 | download.exe | vssadmin.exe (3 entries)
-
System policy modification 1 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | download.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | download.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | download.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\download.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\download.exe"
  Signatures:
    - Modifies extensions of user files
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
  - C:\Windows\SysWOW64\Wbem\wmic.exe (level 2)
    Command line: wmic SHADOWCOPY DELETE /nointeractive
    Signatures:
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (level 2)
    Command line: vssadmin Delete Shadows /All /Quiet
    Signatures:
      - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (level 2)
    Command line: wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\vssadmin.exe (level 2)
    Command line: vssadmin Delete Shadows /All /Quiet
    Signatures:
      - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (level 2)
    Command line: wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\vssadmin.exe (level 2)
    Command line: vssadmin Delete Shadows /All /Quiet
    Signatures:
      - Interacts with shadow copies
- C:\Windows\system32\wbem\wmic.exe (level 1)
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  Signatures:
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe (level 1)
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  Signatures:
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe (level 1)
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  Signatures:
    - Process spawned unexpected child process
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3496-114-0x0000000000000000-mapping.dmp
- memory/4224-115-0x0000000000000000-mapping.dmp
- memory/4276-116-0x0000000000000000-mapping.dmp
- memory/4348-117-0x0000000000000000-mapping.dmp
- memory/4400-118-0x0000000000000000-mapping.dmp
- memory/4480-119-0x0000000000000000-mapping.dmp